xiangfu0 commented on issue #18593: URL: https://github.com/apache/pinot/issues/18593#issuecomment-4597126458
We've cut **Apache Pinot 1.5.1** as a security patch on top of 1.5.0 to address the CVEs reported here. It's published as a pre-release while it goes through the Apache release vote: 👉 https://github.com/apache/pinot/releases/tag/release-1.5.1 **Fixed in 1.5.1** (dependency bumps from the 1.5.0 baseline): | Dependency | 1.5.0 → 1.5.1 | CVEs addressed | |---|---|---| | Netty | `4.1.122.Final` → `4.1.134.Final` | CVE-2025-55163, CVE-2025-59419, CVE-2026-33870, CVE-2026-33871, CVE-2026-42579, CVE-2026-42583, CVE-2026-42584, CVE-2026-42587 | | Log4j Core | `2.25.3` → `2.26.0` | CVE-2026-34478, CVE-2026-34479, CVE-2026-34480, CVE-2026-34481 | | async-http-client | `3.0.7` → `3.0.10` | CVE-2026-45300 | | Apache HttpClient 5 | `5.6` → `5.6.1` | CVE-2026-40542 | **Not fixed — Jetty CVE-2026-2332:** the Jetty 9.4.x branch is end-of-life with no patch available (advisory GHSA-355h-qmc2-wpwf; only Jetty 12.0.33 / 12.1.7 are fixed). In Pinot, Jetty is a managed dependency for the optional Hadoop/Spark/Pulsar ingestion plugins only — Pinot's own HTTP layer uses Grizzly/Jersey — so the HTTP/1.1 request-smuggling vector does not apply to Pinot's broker/server/controller/minion services. A real fix requires a Jetty 9 → 12 migration, which is too invasive for a patch release; we'll track that separately for a future minor. As noted earlier, these bumps are already on `master` (1.6.0-SNAPSHOT); 1.5.1 back-ports them to the 1.5.x line. Once the vote passes, 1.5.1 will be promoted to the final release and Maven Central. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
